Summary

A simple, faked ident daemon.

Overview

fauxident is a small Python script that will act as an extremely
naive ident server, answering all ident requests with a consistent
response -- either an ERROR or a USERID response. This can be
advantageous on systems where running a true identd is
unavailable, where it would be a security risk, or when
masquerading firewalls are in use, where multiple machines are
involved behind the firewall and running a proper ident system is
not an option.

Requirements

License

Introduction

An ident server reports which user on a machine owns a given
connection, identified by its pair of client and server
ports. ident is used implicitly by some
other services; for instance, many IRC servers check for ident
responses from connecting clients, and some in fact will reject
clients which do not have an ident server running.

The intent of this program is to allow users who cannot otherwise
run identd servers (either for security or network topology
reasons) to set up something that will respond, albeit trivially,
with an ident response. Note that the server does understand the
ident protocol well enough to detect malformed queries and respond
to them with the proper error messages.

The fauxident.py program should be run from the command line. By
default it will act as a daemon. Also, since it binds to port 113
by default, root access is required. Any server that is already
bound to port 113, of course, will prevent fauxident.py from
running.

Invocation

The following command line options alter the behavior of the
program:

Keep the program in the foreground (and
stdout/stderr open); by default, if the server can be created,
the script will daemonize itself.

-r/--realm (realm)

In a valid response, the realm in which the
response takes place. By default this is UNIX.

-u/--user (user)

In a valid response, the user associated
with the realm. By default this is user. This can also be a
comma-separated list of names, of which a random one will be
chosen for each connection.

-m/--permute

In a valid response, randomly shuffle the
letters of the user name before responding.

-s/--suffix (length)

In a valid response, append a random
number of the specified number of digits (padded to the left
with zeroes) to the end of the user response.

-e/-E/--error (error)

Cause the specified error to be the
response for otherwise valid queries, if that should be so
desired. The response should be one of INVALID-PORT,
NO-USER, HIDDEN-USER, or UNKNOWN-ERROR. (Other responses
are allowed, but have no meaning according to the RFC.)

-N/--no-user

Shortcut for -e NO-USER.

-H/--hidden-user

Shortcut for -e HIDDEN-USER.

Sample usage

By default the server will start in the background and bind to the
standard port and respond to all queries as if the port pair were
owned by the user user in the realm 'UNIX':

./fauxident.py

An alternate interface and/or port can be chosen:

./fauxident.py -a 10.0.0.1 -p 8113

Different realms and user names can be chosen. For instance, to
have the server respond as nobody under the realm OTHER, use:

./fauxident.py -r OTHER -u nobody

Multiple names can be specified, separated by commas (with no
intervening spaces), and one will be selected randomly each time:

./fauxident.py -u larry,curly,moe

The -m option can be included, which causes the user name to be
randomly permuted (the letters shuffled) each time the name is
generated (but before the suffix, if any, is appended):

./fauxident.py -u noname -m

Additionally, the -s option can be used to specify a suffixed
random number (padded with zeroes) of the given length in each
response:

./fauxident.py -u resu -s 4

This last example will respond each time with a different
randomized name with a four-digit suffixed random number, e.g.,
resu3759.

One can also configure the server to always respond with errors:

./fauxident.py -N
./fauxident.py -H
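
The query handling and the -u/-m/-s/-e behaviour described above can be sketched as follows. This is an added example, not fauxident's own code; the names make_user, field and answer are hypothetical, the wire format follows RFC 1413, and echoing "0, 0" for an unparsable query is an assumption.

```python
import random
import re

# RFC 1413 query line: "<port-on-server> , <port-on-client>" ended by CRLF.
QUERY_RE = re.compile(rb"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")
MAX_QUERY = 1000  # RFC 1413 limits request lines to 1000 characters


def make_user(names, permute=False, suffix=0, rng=random):
    """Choose a name, optionally shuffle it, then append the digit suffix."""
    name = rng.choice(names.split(","))
    if permute:
        letters = list(name)
        rng.shuffle(letters)
        name = "".join(letters)
    if suffix:
        name += "%0*d" % (suffix, rng.randrange(10 ** suffix))
    return name


def field(text):
    """Encode a configured value, refusing bytes that would break the line."""
    if any(c in text for c in "\r\n\0"):
        raise ValueError("control character in response field")
    return text.encode("ascii")


def answer(query, realm="UNIX", user="user", error=None):
    """Build the response bytes for one raw query line (bytes in, bytes out)."""
    match = QUERY_RE.match(query) if len(query) <= MAX_QUERY else None
    if match is None:
        # Assumption: report "0, 0" when no port pair can be parsed.
        return b"0, 0 : ERROR : INVALID-PORT\r\n"
    server_port, client_port = int(match.group(1)), int(match.group(2))
    pair = b"%d, %d" % (server_port, client_port)
    if not (1 <= server_port <= 65535 and 1 <= client_port <= 65535):
        return pair + b" : ERROR : INVALID-PORT\r\n"
    if error:
        return pair + b" : ERROR : " + field(error) + b"\r\n"
    return pair + b" : USERID : " + field(realm) + b" : " + field(user) + b"\r\n"


if __name__ == "__main__":
    # Constructed sample queries, not captured traffic.
    for raw in (b"6193, 23\r\n", b"0, 23\r\n", b"not a query\r\n"):
        print(answer(raw, user=make_user("resu", suffix=4)))
```

Because every well-formed query gets the same configured answer, a service that consumes these responses learns nothing about the real owner of the connection.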

Wish list

This could obviously be turned eventually into a full-fledged
identd service, or perhaps one under limited control.